
CIS 1.3.1 Ensure AIDE is installed

Open marcofortina opened this issue 9 months ago • 5 comments

Description of problem:

Check for rule xccdf_org.ssgproject.content_rule_aide_build_database fails on Ubuntu 22.04.

SCAP Security Guide Version:

master branch

Operating System Version:

Ubuntu 22.04 LTS

Steps to Reproduce:

  1. Install AIDE: apt install aide aide-common
  2. Initialize AIDE: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  3. Run SCAP: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_aide_build_database ssg-ubuntu2204-ds.xml

Actual Results:

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Result  fail

Expected Results:

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Result  pass

Additional Information/Debugging Steps:

On Ubuntu 22.04, the database definition keyword in the /etc/aide/aide.conf file was changed from database=file:/var/lib/aide/aide.db to database_in=file:/var/lib/aide/aide.db.

Adding database=file:/var/lib/aide/aide.db in /etc/aide/aide.conf as a workaround gives this warning:

WARNING: /etc/aide/aide.conf:194: Using 'database' is DEPRECATED. Update your config and use 'database_in' instead (line: 'database=file:/var/lib/aide/aide.db')

marcofortina • May 02 '24 10:05

The database message is just a warning, and we are not yet planning to move to database_in now, as this is not backwards compatible and the warning doesn't prevent aide from working.

Regarding the fail, have you tried to use the bash remediation?

dodys • May 07 '24 10:05

> The database message is just a warning, and we are not yet planning to move to database_in now, as this is not backwards compatible and the warning doesn't prevent aide from working.
>
> Regarding the fail, have you tried to use the bash remediation?

Yes, of course I successfully used the bash remediation. My issue is only to track a wrong check for database= on Ubuntu 22.04 instead of the new database_in=, showing a false error where the workaround was not applied.

Is it not possible to use <% if "ubuntu2204" in product %> for this rule as a fix?

marcofortina • May 07 '24 11:05

Not really a priority for us now, since database is still supported on 22.04; adding the checks would be required on bash, ansible, oval and rule.yml.

dodys • May 07 '24 11:05

> Not really a priority for us now, since database is still supported on 22.04; adding the checks would be required on bash, ansible, oval and rule.yml.

And a reminder that you would still need to keep compatibility with database, as people might not have migrated to the new item.

dodys • May 07 '24 12:05

Debian also suffers the same as expected.

dodys • Aug 05 '24 07:08
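
The compatibility requirement discussed in this thread, as an added example (not part of the issue and not the project's own bash, OVAL or Ansible content): a shell check that accepts `database_in=` as well as the deprecated `database=`. The function names and the constructed temp-dir configs are assumptions for illustration, and only literal `file:/path` values are handled.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode's check): accept either AIDE keyword.

# Print "<keyword> <value>" for the last database/database_in line in $1.
# database_out and commented-out lines do not match.
aide_db_setting() {
    [ -r "$1" ] || return 2
    out=$(sed -n -E \
        's/^[[:space:]]*(database(_in)?)[[:space:]]*=[[:space:]]*([^[:space:]]+)[[:space:]]*$/\1 \3/p' \
        "$1" | tail -n 1)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Pass (0) when the configured input database is a non-empty local file.
# Assumption: literal file:/path values only; @@{...} macros are not expanded.
check_aide_database() {
    setting=$(aide_db_setting "$1") || { echo "fail: no database or database_in in $1"; return 1; }
    key=${setting%% *}
    url=${setting#* }
    case $url in
        file:/*) path=${url#file:} ;;
        *) echo "fail: unsupported database URL: $url"; return 1 ;;
    esac
    [ -s "$path" ] || { echo "fail: $path is missing or empty"; return 1; }
    [ "$key" = database ] && echo "note: 'database' is deprecated, prefer 'database_in'"
    echo "pass: $key -> $path"
}

# Constructed sample configs in a temp dir, so nothing under /etc is touched.
demo() {
    d=$(mktemp -d) || return 1
    echo "constructed db" > "$d/aide.db"
    printf 'database_out=file:%s/aide.db.new\ndatabase_in=file:%s/aide.db\n' "$d" "$d" > "$d/new.conf"
    printf '# database_in=file:/nonexistent\ndatabase=file:%s/aide.db\n' "$d" > "$d/old.conf"
    printf 'database_out=file:%s/aide.db.new\n' "$d" > "$d/none.conf"
    for c in new old none; do check_aide_database "$d/$c.conf" || true; done
    rm -rf "$d"
}
demo
```

Against a real system, call `check_aide_database /etc/aide/aide.conf`; the exit status is 0 for either keyword as long as the referenced database file exists and is non-empty.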